Last updated: May 29, 2026
Introduction
We build RECAM to keep your video private — live streams travel peer-to-peer over the Secure Reliable Transport (SRT) protocol, and your recordings and metadata stay on your iPhone or in your private iCloud. FRENCHMOB SAS operates no central video servers and cannot access your video, audio, or media.
Security researchers are part of how we keep it that way. If you find a vulnerability in our systems, we want to hear from you, and we'll work with you to fix it. This policy explains how to report safely, what's in scope, and what you can expect from us in return.
1. Reporting a Vulnerability
Email your report to security@recam.tv. Encrypted reports are welcome — our PGP key is at the bottom of this page — but encryption is optional.
To help us triage and fix the issue quickly, please include:
- A clear description of the vulnerability and why it matters.
- Step-by-step reproduction instructions, with proof-of-concept code, screenshots, or a video if you have them.
- The affected URL or endpoint, or — for the app — the RECAM version and your iOS version.
- Your assessment of the impact (what an attacker could do).
When investigating, please do not access, modify, delete, or exfiltrate data that does not belong to you. Use only your own test accounts and devices. If you stumble onto someone else's data, stop, and tell us in your report.
2. Our Commitments
When you report in good faith, here's what you can count on from us:
- We acknowledge your report within 2 business days.
- We complete substantive triage within 5 business days and let you know whether we can reproduce the issue.
- We send status updates at least every 14 days until the issue is resolved.
- We will not pursue legal action against researchers who act in good faith and follow this policy.
- With your permission, we'll publicly credit you for the find. Prefer to stay anonymous? We'll respect that too.
3. In Scope
The following targets are in scope for testing:
- Our web properties under *.recam.tv
- The RECAM iOS app (App Store ID 6744159456)
We're especially interested in vulnerability classes such as:
- Authentication or authorization bypass
- Insecure direct object references (IDOR)
- Server-side request forgery (SSRF)
- Remote code execution (RCE)
- Injection flaws, including SQL injection (SQLi)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Sensitive-data exposure
- Insecure handling of the peer-to-peer / SRT streaming path, or of local and iCloud storage
- Supply-chain compromise (dependencies, build pipeline, third-party packages)
4. Out of Scope
The following generally do not qualify on their own, unless you can demonstrate a concrete, exploitable impact:
- Unverified output from automated scanners
- Missing security headers with no demonstrated impact
- Reports about login or rate-limiting behavior without a working exploit
- Self-XSS
- Social engineering of our users or staff
- Physical attacks against devices, offices, or staff
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- Vulnerabilities in third-party services we don't control
- Email spoofing without a working exploit
5. What Is Not Permitted
To keep researchers, our users, and our service safe, the following are off-limits:
- Accessing, modifying, or destroying data that isn't yours
- Degrading, disrupting, or overloading our service
- Phishing or otherwise social-engineering RECAM users or staff
- Publicly disclosing a vulnerability before a fix has shipped
6. Coordinated Disclosure
We aim to fix high-severity issues within 30 days of confirming them. Some fixes take longer — for example, changes that depend on infrastructure work or on App Store review timelines — and we'll keep you posted if that's the case. We'll coordinate the timing and content of any public disclosure with you, and credit you as agreed.
7. Bounty
RECAM does not run a paid bug-bounty program today. What we can offer for an impactful, valid report is public credit, our sincere thanks, and — optionally — a free year of RECAM premium. We genuinely appreciate the time and skill that go into responsible disclosure.
8. Updates to This Policy
We may update this policy from time to time. For the current security contact and its expiry, our /.well-known/security.txt file is authoritative.
9. PGP Public Key
If you'd like to encrypt your report, use the key below.
- User ID: Guillaume Marolleau <security@recam.tv>
- Fingerprint: 7757 61BE 7BB2 D8FD 0214 5549 D30A 359E DDB3 FA52
- Algorithm: Ed25519 / Curve25519
- Created: 2026-05-29